2/12/2014

At a White House ceremony, Secretary of Homeland Security Jeh Johnson touted the release of the administration's cyber security blueprint as a much needed guide for protecting the nation's critical infrastructure.

The highly anticipated "framework" for cyber security comes a year after the president issued an executive order directing the National Institute of Standards and Technology to produce voluntary guidelines for protecting critical information networks. The president put out the executive order after cyber security legislation stalled in the Senate and saw no prospect of new legislation in the near term.

The blueprint unveiled Feb. 12 draws from industry "best practices" and generally has been described by experts as a useful first step that, over time, could help develop stronger protections against cyber attacks and boost cooperation between the government and the private sector.

"The cyber security framework is a good start at providing all organizations with information on practices that should improve overall cyber hygiene," Sedar LaBarre, of Booz Allen Hamilton, wrote in a blog post.

Industry experts said it is remarkable that NIST was able to produce this blueprint in just one year, with input from thousands of companies and universities.

The framework has spurred a heated debate in Washington about the need for cyber security regulations and policies at a time of growing threats such as malware, hackers and spies. Critics have questioned the value of voluntary guidelines and the absence of incentives for companies to adopt the framework. Policy makers at the White House and on Capitol Hill still disagree on whether cyber security should be mandated by the federal government or be treated as a private sector initiative.

"Some of this is going to be a work in progress," said Samuel S. Visner, vice president and general manager for global cyber security at CSC, in Falls Church, Va. This document should be seen as the beginning of what could be a long road toward the creation of cyber security standards for different industry sectors, he said in an interview.

The administration should be credited for providing valuable data to help infrastructure owners and mainstream industries build cyber protections, Visner said. Of note, NIST is not calling for the creation of a new regulatory structure, although DHS is responsible for coordination, he said. It pays "due respect" to sector specific agencies’ roles in overseeing cyber security.

The automotive supply chain, for instance, would work directly with the Transportation Department. "The standards are to be implemented by the infrastructure owners and operators with the support of the sector-specific agencies."

It is clear that there is additional work to be done, Visner said. The framework is a valuable vehicle to raise awareness that cyber security is in the public interest, he added. The framework does include an annex on protecting privacy and civil liberties.

“One of the key goals of advancing this nation’s cyber security is building trust and relationships between the government and the private sector,” Johnson said Feb. 12. “Part of that effort includes heightening awareness about the cyber security threat, in plain and simple terms the public can appreciate.”

Industry groups such as the Internet Security Alliance have disputed the practical value of the NIST framework. “Sophisticated attackers, including nation-states and nation-state affiliated sources, and increasingly criminal organizations, will not be substantially deterred by the basic standards and practices in the NIST framework,” said an ISA policy paper.

Anyone who expected NIST to provide immediate solutions missed the point, Visner said. "That was not the goal," he added. "It sets up the process for standards to be generated. This is not a regulatory document."

Setting standards takes time, and they have to come from industry, he said. "I don't think the framework was supposed to create standards." This should not be about penalizing or incentivizing anyone, said Visner. If a company can improve its cyber security, the cost would be part of the business model.

The challenge of developing standards only will become more difficult as cyber threats multiply — from hackers to insider leakers like Edward Snowden to industrial spies. "It is too soon to tell if the framework can address all this," said Visner. Despite many unanswered questions, he added, "I think the glass is well more than half full."

Sanford Reback, senior technology analyst at Bloomberg Government, said he expects DHS officials to begin a major outreach effort to encourage companies to adopt the framework. “The administration is limited in the incentives it can provide to companies to use the framework,” he said Feb. 6 during a Bloomberg webinar. One of the most divisive issues that stalled cyber security legislation last year was disagreement on whether the government could offer companies liability protection in exchange for sharing information. “That's not something that the Obama administration could provide, although it would be an important incentive,” he said. One question now is how the NIST framework might influence future cyber legislation, if Congress decides to bring it back.

Danielle Kriz, director of global cyber security policy at the Information Technology Industry Council, said Washington tends to get worked up about these initiatives. She credited the administration for trying to create a “culture of cyber security,” regardless of whether one finds the framework useful. Although the blueprint is aimed at critical infrastructure, it could be applicable to any sector, she said.

LaBarre said some industries will move quickly to use the framework while others will consider the return on investment. “Booz Allen expects more dialogue on how the cyber security community can bridge the gap between fast-changing technology and risk management so organizations of any type or size in industry and government are prepared for the ongoing waves of cyber attacks.”

Speaking at the White House Feb. 12, Johnson announced that DHS now offers free cyber security help to companies that provide critical services. “They will have direct access to cyber experts at DHS at no cost,” he said. The program, called Critical Infrastructure Cyber Community, or “C Cubed,” was launched this month to coincide with the release of the NIST framework. “The C3 program gives companies that provide critical services like cell phones, email, banking, energy, and state and local governments, direct access to cyber security experts within the Department of Homeland Security,” Johnson said. C3 is also available for immediate advice and assistance in the event of an actual cyber attack.
